6 HIPAA updates you need to know

By Walt Whitley, O.D., Jason Miller, O.D., and Chuck Brownlow, O.D.

Medical record compliance audits are looming. As Medicare and the Department of Health & Human Services (HHS) Office of Inspector General continue to work to ensure compliance, you must ensure everyone in your practice is aware of and complying with critical regulations.

The Health Insurance Portability and Accountability Act (HIPAA) represents one set of regulations. Is your office up to date on HIPAA?

The HIPAA Privacy and Security Rules are federal law. The Privacy Rule gives individuals rights over their health information and sets rules and limits on who can look at and receive health information. The Security Rule offers safeguards to protect health information in electronic form and ensures protected health information (PHI) is secure.

All individuals, organizations, and agencies that meet the definition of a "covered entity" must comply with these regulations. As an optometrist, you are considered a "covered entity" if you transmit any information in electronic form in connection with a transaction for which the HHS has adopted a standard. For example, submitting an electronic claim to Medicare or another payer is such a transaction.

Even if you know the basics of HIPAA, it's helpful to review critical updates to these regulations. Updates to HIPAA implemented this year include:

1. Marketing and fundraising

The final rules address multiple privacy issues related to uses and disclosures of protected health information. These include:

Disclosures of PHI to persons involved in a patient's care or payment for care, and

Disclosures of student immunization records.

2. Perform researchNotice of privacy practices (NPP)

Most covered entities are required to have an NPP, which describes uses and disclosures of protected health information a covered entity is allowed to make. This notice includes legal duties and privacy practices with respect to protected health information and patients' rights.

3. Business associate agreements

HIPAA rules require covered entities to enter into contracts that ensure their business associates will appropriately safeguard PHI. This serves to both clarify and limit the permissible uses and disclosures of such information by the business associate, based on the relationship between the parties and the activities or services being performed.

4. Breaches of protected health information

"Breach" is generally defined as the unauthorized acquisition, access, use or disclosure of PHI that compromises its security or privacy. Health care practitioners may be required to notify affected patients, the HHS, and even the media in the event of a breach. If the protected health information is secured by encryption, the security or privacy is generally not considered compromised.

5. Patient access to health records

This update allows patients to request electronic copies of their PHI.

6. Patient rights when paying out of pocket

When patients pay out of pocket for services rendered, they can prohibit health care providers from disclosing their health information to a health plan.